Risk transcends every aspect of business. The need to effectively and efficiently manage risk is a well understood, critical success factor in business, especially in functional disciplines such as finance, insurance, legal, marketing, and so forth. As these and other core business functions have grown more and more dependent on Information Technology (IT), managing IT-related risk has emerged as a critical discipline in running a successful business. Further, IT risk management is becoming a key driver for justifying investments in IT infrastructure and engaging in continuous service improvement programs.
The complexity of an organization's IT ecosystem makes managing IT risk an immense challenge. It requires specific subject matter knowledge at a component, system, and enterprise level. The knowledge required includes what issues may arise given certain conditions, what the measured consequence of these issues are, and how to prioritize and solve these issues.
IT Risk Management disciplines have primarily focused on specific issues concerning security, disaster recovery and project-related risks. Many of the existing IT Risk Management tools are based on the qualitative views of IT experts versus quantified analysis of data (such as what is used in more mature risk management disciplines related to credit, insurance, or medical risk management).
Managing IT risks demands a common means to identify, classify, measure, and communicate risk so that individuals across IT and business organizations gain a shared understanding of the risks and take appropriate actions. Regardless of the approach taken, IT Risk Management should assist in balancing the investment required to improve and upgrade IT with the appropriate return in business value from such an investment.